This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
TheGrave
Contributor
‎2020-11-21 02:47 PM

Identity Awareness and Captive Portal - SOLVED

I'm having hard times figuring the relation beween HTTPS Inspection and Identity Awareness, and also how is Captive Portal supposed to function. I'm running R80.20, let me describe you the behaviours I notice:

1) Unless I enable HTTPS Inspection my AppC & URLF policy rule that matches as a source an Access Role and as a service either http/https or a ceratain website collection (e.g. Facebook, YouTube) does not function properly. I'm not sure whether it's a feature or a bug but actions like Ask/Inform/Drop with message simply do not work unless HTTPS Inspection is enabled. This proves to be the case for non-SSL sites as well, e.g. http://neverssl.com. I understand the dependency of matching URL collections like Facebok and YouTube on HTTPS Inspection (which SHOULD be documented in admin guides not shovelled down some sk) but I don't understand why plain HTTP does not function as expected with modern browsers (latest Edge and Firefox). Perhaps because Captive Portal must redirect a non-https website to an https-website? Some crappy code in R80.20? Go figure.

2) With HTTPS Inspection turned on everything works as expected for both HTTP and HTTPS but then comes the case of having an accept rule with "Enable Identity Captive Portal". Now this beautiful checkbox puts a requirement on the rule to use an access role either as a source or destination (destination doesn't make much sense to me but anyway). Now, if you create an access role object if you do not place any restrictions on it it will match pretty much every user (logged in to a domain, non-domain user, anybody) so in theory all traffic should go to Captive Portal, right? No, it doesn't. If I put a restriction on e.g. IP and user group from AD I see in the logs the identity of the user is known but still no redirection to Captive Portal. It wouldn't make much sense anyway, right? You already know who the user is, why redirect it to enter user and pass again? So I'm kinda missing the idea behind this scenario completely (a scenario quoted in many admin guides, study materials, etc.). Again, I'm not sure why redirection doesn't take place, could be a bug. Don't have an R80.40 to test at the moment.

0 Kudos
6 Replies
This widget could not be displayed.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events